Security Vulnerabilities Exposed in Facilities

Most organizations want effective security, but achieving it involves so many factors that security efforts often ultimately fall short in one important way or another. Unfortunately, with security, a single Achilles heel can be catastrophic. The following four stories, drawn from the writer’s personal experience, offer a glimpse of the kinds of vulnerabilities that can exist in facilities. All are based on actual events — though the entities, names, and locations are changed — and teach useful lessons about principles that can minimize loss of life and information, and protect an organization’s brand and image.

1. Pay attention to all aspects of security. Organizations sometimes hire a third-party security team to try to break into their facilities. It’s a way of testing real, not hypothetical, vulnerabilities.

In one case, the assignment was to gain access to a riser/data closet, and if possible, the main Network Operation Center. The team’s first step was to covertly conduct surveillance of the property, using satellite imagery and street views to stay inconspicuous. On first impression, the facility was immensely secure: A large fence encircled the property and the three primary entries appeared to be staffed. Security was 24/7. The security department, however, was housed in a guard house at the property’s edge, and the guards’ comings and goings could be seen at all times of the day and especially at night, when security was reduced from four guards to two.

The team, including remote support personnel, did its homework. It observed peak pedestrian and vehicle flows; gathered supplies to make fake ID cards, such as a portable, high-resolution ink-jet printer; and, via the Internet and social media, dug up the names of individuals within the company, such as facilities and security staff and high-ranking individuals from various departments. The biggest find: architectural drawings of the facility, which identified lunch rooms, break rooms, conference areas, and a large unnamed room that appeared to be the facility’s data center.

Approaching the facility in their car, team members flashed IDs, as they had seen others do, and the security guard raised the vehicular barrier. Getting past an access-controlled exterior door was easy. One member of the team carried a series of empty cardboard boxes while feigning exertion and asked a woman with whom he had started a conversation to please hold the door.

Inside was a surprise: a row of optical turnstiles. A security guard was watching. Once again, however, the cardboard boxes did the trick, and the security guard allowed the stranger to use the emergency stairwell. In the stairwell, it was just a question of finding the one door that did not close properly.

Most employees paid no attention to the stranger wearing a baseball cap and looking at a drawing. One woman asked if she could help, but her concerns were allayed by the mention of the facility director’s name. She then pointed the stranger in the direction of the riser closet that she said was next to the men’s restroom.

Although the riser closet was access controlled, it was equipped with an electric strike that had been cut into the frame, which made the door inherently unsecured. A credit card retracted the latch — and the riser closet had been breached. (For more details on how social engineering can be used to breach security, see the online sidebar, “How a Smooth-Talking Intruder Can Defeat Building Security,” at facilitiesnet.com/16193BOM.)

The moral of the story? Just because a facility appears to be secure does not mean it is. More importantly, a security program needs to involve all aspects of security (operational, physical, and technical) to be successful.